commit 54e38878133e773338308e227bc839a2515f14ba
from: Omar Polo
via: Thomas Adam
date: Sat Mar 02 00:19:56 2024 UTC
fix invalid imsg_free() in got_privsep_recv_printed_commits()
Depending on the error got_privsep_recv_imsg() may leave imsg un-initialized, so change it to always free the imsg on error if needed, so callers don't have to.
got_privsep_recv_printed_commits() and got-read-patch were the only places where we could end up calling imsg_free() on uninitialized imsg, fix them.
ok stsp@
commit - eb0f0005dd7c9fa9b95084632cc50d5d61ed81a0
commit + 54e38878133e773338308e227bc839a2515f14ba
blob - 0e97b2c937873b7c5db92e61abfb7035c1636fec
blob + bfe6f67b6065aabb9a1a27b1531267cc64064f47
--- lib/privsep.c
+++ lib/privsep.c
@@ -141,12 +141,16 @@ got_privsep_recv_imsg(struct imsg *imsg, struct imsgbu
 return got_error_from_errno("imsg_get");
 }
- if (imsg->hdr.len < IMSG_HEADER_SIZE + min_datalen)
+ if (imsg->hdr.len < IMSG_HEADER_SIZE + min_datalen) {
+ imsg_free(imsg);
 return got_error(GOT_ERR_PRIVSEP_LEN);
+ }
 if (imsg->hdr.type == GOT_IMSG_ERROR) {
 size_t datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
- return recv_imsg_error(imsg, datalen);
+ err = recv_imsg_error(imsg, datalen);
+ imsg_free(imsg);
+ return err;
 }
 return NULL;
@@ -3510,10 +3514,8 @@ got_privsep_recv_painted_commits(struct got_object_id_
 for (;;) {
 err = got_privsep_recv_imsg(&imsg, ibuf, 0);
- if (err){
- imsg_free(&imsg);
+ if (err)
 return err;
- }
 datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
 if (imsg.hdr.type == GOT_IMSG_COMMIT_PAINTING_DONE) {
blob - 7bf370400776135b9714b33fc935b71dfb20c1cc
blob + 483df2f9aed30e5bf089d9dd29ed6b95f95ccc1c
--- libexec/got-read-patch/got-read-patch.c
+++ libexec/got-read-patch/got-read-patch.c
@@ -692,8 +692,8 @@ main(int argc, char **argv)
 goto done;
 }
 err = got_privsep_flush_imsg(&ibuf);
-done:
 imsg_free(&imsg);
+done:
 if (fd != -1 && close(fd) == -1 && err == NULL)
 err = got_error_from_errno("close");
 if (fp != NULL && fclose(fp) == EOF && err == NULL)
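Review bot: The ownership rule that got_privsep_recv_imsg() now follows is not written down in the code of this first lib/privsep.c hunk: after any error return the imsg is either never filled in or already released. A comment above the function would record it, for example `/* On error, *imsg is uninitialized or already freed; callers must not call imsg_free() on it. */`. Any caller that still calls imsg_free() after an error would presumably release the message a second time on the GOT_ERR_PRIVSEP_LEN and GOT_IMSG_ERROR paths. The commit message indicates callers were audited, but only two are visible on this page. The function starts before the hunk, so the imsg_get failure path is only partly shown.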
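Review bot: In the got-read-patch.c hunk, moving `done:` below `imsg_free(&imsg)` means every `goto done` now skips the free, so the message is released only when main() reaches the flush on the success path. The `goto done; }` context just above shows at least one such jump; whether imsg already holds a received message at that point lies outside the hunk. In a short-lived helper a skipped free is likely harmless, but the asymmetry deserves a comment so it is not moved back later, e.g. `/* success path only: error paths jump past this because imsg may be uninitialized or already freed */`. main() begins before this hunk and continues after it.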